Merge v8 from https://chromium.googlesource.com/v8/v8.git at 1bf660fafd6c66fe862d5eef0b06e53e9967621b
This commit was generated by merge_from_chromium.py.
Change-Id: I4b1720f1122aabee908b5766cece348cee2b6f35
diff --git a/src/heap/spaces.cc b/src/heap/spaces.cc
index a73833f..68425c0 100644
--- a/src/heap/spaces.cc
+++ b/src/heap/spaces.cc
@@ -140,7 +140,8 @@
base += kReservedCodeRangePages * base::OS::CommitPageSize();
}
Address aligned_base = RoundUp(base, MemoryChunk::kAlignment);
- size_t size = code_range_->size() - (aligned_base - base);
+ size_t size = code_range_->size() - (aligned_base - base) -
+ kReservedCodeRangePages * base::OS::CommitPageSize();
allocation_list_.Add(FreeBlock(aligned_base, size));
current_allocation_block_index_ = 0;
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 31fcd4c..1028a07 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -8301,6 +8301,7 @@
if (receiver_map.is_null()) return false;
if (receiver_map->instance_type() != JS_ARRAY_TYPE) return false;
ElementsKind elements_kind = receiver_map->elements_kind();
+ if (JSArray::IsReadOnlyLengthDescriptor(receiver_map)) return false;
if (!IsFastElementsKind(elements_kind)) return false;
if (receiver_map->is_observed()) return false;
if (!receiver_map->is_extensible()) return false;
@@ -8418,6 +8419,7 @@
if (receiver_map.is_null()) return false;
if (receiver_map->instance_type() != JS_ARRAY_TYPE) return false;
ElementsKind kind = receiver_map->elements_kind();
+ if (JSArray::IsReadOnlyLengthDescriptor(receiver_map)) return false;
if (!IsFastElementsKind(kind)) return false;
if (receiver_map->is_observed()) return false;
if (!receiver_map->is_extensible()) return false;
@@ -8490,10 +8492,12 @@
graph()->GetConstant0(), new_length, Token::LT);
HValue* key = AddUncasted<HAdd>(new_key, graph()->GetConstant1());
key->ClearFlag(HValue::kCanOverflow);
+ ElementsKind copy_kind =
+ kind == FAST_HOLEY_SMI_ELEMENTS ? FAST_HOLEY_ELEMENTS : kind;
HValue* element = AddUncasted<HLoadKeyed>(
- elements, key, lengthiszero, kind, ALLOW_RETURN_HOLE);
- HStoreKeyed* store = Add<HStoreKeyed>(
- elements, new_key, element, kind);
+ elements, key, lengthiszero, copy_kind, ALLOW_RETURN_HOLE);
+ HStoreKeyed* store =
+ Add<HStoreKeyed>(elements, new_key, element, copy_kind);
store->SetFlag(HValue::kAllowUndefinedAsNaN);
}
loop.EndBody();
@@ -11314,11 +11318,13 @@
site_context->ExitScope(current_site, value_object);
Add<HStoreKeyed>(object_elements, key_constant, result, kind);
} else {
- HInstruction* value_instruction =
- Add<HLoadKeyed>(boilerplate_elements, key_constant,
- static_cast<HValue*>(NULL), kind,
- ALLOW_RETURN_HOLE);
- Add<HStoreKeyed>(object_elements, key_constant, value_instruction, kind);
+ ElementsKind copy_kind =
+ kind == FAST_HOLEY_SMI_ELEMENTS ? FAST_HOLEY_ELEMENTS : kind;
+ HInstruction* value_instruction = Add<HLoadKeyed>(
+ boilerplate_elements, key_constant, static_cast<HValue*>(NULL),
+ copy_kind, ALLOW_RETURN_HOLE);
+ Add<HStoreKeyed>(object_elements, key_constant, value_instruction,
+ copy_kind);
}
}
}
diff --git a/src/version.cc b/src/version.cc
index 81515d1..a299745 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 30
#define BUILD_NUMBER 33
-#define PATCH_LEVEL 13
+#define PATCH_LEVEL 15
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
diff --git a/test/cctest/test-alloc.cc b/test/cctest/test-alloc.cc
index 54d516e..2e071ac 100644
--- a/test/cctest/test-alloc.cc
+++ b/test/cctest/test-alloc.cc
@@ -198,7 +198,8 @@
const size_t code_range_size = 32*MB;
CcTest::InitializeVM();
CodeRange code_range(reinterpret_cast<Isolate*>(CcTest::isolate()));
- code_range.SetUp(code_range_size);
+ code_range.SetUp(code_range_size +
+ kReservedCodeRangePages * v8::base::OS::CommitPageSize());
size_t current_allocated = 0;
size_t total_allocated = 0;
List< ::Block> blocks(1000);
diff --git a/test/mjsunit/array-shift4.js b/test/mjsunit/array-shift4.js
new file mode 100644
index 0000000..669b11a
--- /dev/null
+++ b/test/mjsunit/array-shift4.js
@@ -0,0 +1,24 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+// Inlining shift with holey smi arrays shouldn't deopt just because it
+// encounters the hole on the copy step.
+function doShift(a) {
+ var x = a.shift();
+ return x;
+}
+
+function makeArray() {
+ var a = [1, 2,, 3];
+ a[0] = 2;
+ return a;
+}
+
+doShift(makeArray());
+doShift(makeArray());
+%OptimizeFunctionOnNextCall(doShift);
+doShift(makeArray());
+assertOptimized(doShift);
diff --git a/test/mjsunit/regress/regress-435073.js b/test/mjsunit/regress/regress-435073.js
new file mode 100644
index 0000000..dbaa612
--- /dev/null
+++ b/test/mjsunit/regress/regress-435073.js
@@ -0,0 +1,12 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --verify-heap
+
+function test(x) { [x,,]; }
+
+test(0);
+test(0);
+%OptimizeFunctionOnNextCall(test);
+test(0);
